Chapter 16 oauth2authorizationrequestredirectwebfilter source code analysis
2022-07-05 23:54:00 【buffeer】
OAuth2AuthorizationRequestRedirectWebFilter is the reactive (WebFlux) filter that starts an OAuth 2.0 login: it builds an authorization request for a client registration and redirects the browser to the third-party authorization server.
1. overview
OAuth2AuthorizationRequestRedirectWebFilter depends on two collaborators:
- ServerAuthorizationRequestRepository: stores the OAuth2AuthorizationRequest between the redirect and the callback from the authorization server
- ServerOAuth2AuthorizationRequestResolver: decides which requests trigger a redirect and resolves them into an OAuth2AuthorizationRequest
Both can be replaced with custom implementations. If none is configured, the defaults described below are used.
2. initialization
The configure method of ServerHttpSecurity.OAuth2LoginSpec creates the OAuth2AuthorizationRequestRedirectWebFilter. Let's first look at how it is created; the relevant part of the source is shown below (the rest of the method, which configures the other OAuth2 login filters, is omitted).
protected void configure(ServerHttpSecurity http) {
    // Build the filter with either the custom or the default resolver
    OAuth2AuthorizationRequestRedirectWebFilter oauthRedirectFilter = this.getRedirectWebFilter();
    // Custom or default (WebSession-backed) storage for the pending authorization request
    ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = this.getAuthorizationRequestRepository();
    oauthRedirectFilter.setAuthorizationRequestRepository(authorizationRequestRepository);
    // The request cache remembers the originally requested URL so the user lands there after login
    oauthRedirectFilter.setRequestCache(http.requestCache.requestCache);
}
When the OAuth2AuthorizationRequestRedirectWebFilter is created, a custom authorizationRequestResolver is used if one was configured; otherwise the filter is built from the ReactiveClientRegistrationRepository, which makes it use the default resolver whose matched path is /oauth2/authorization/{registrationId}.
private OAuth2AuthorizationRequestRedirectWebFilter getRedirectWebFilter() {
    // If a custom authorizationRequestResolver was configured, use it;
    // otherwise the filter creates a DefaultServerOAuth2AuthorizationRequestResolver
    return this.authorizationRequestResolver != null
            ? new OAuth2AuthorizationRequestRedirectWebFilter(this.authorizationRequestResolver)
            : new OAuth2AuthorizationRequestRedirectWebFilter(this.getClientRegistrationRepository());
}
When the ServerAuthorizationRequestRepository is resolved, a custom authorizationRequestRepository is used if one was configured; otherwise the default WebSession-backed implementation is used, which stores the OAuth2AuthorizationRequest in the user's WebSession.
private ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> getAuthorizationRequestRepository() {
    if (this.authorizationRequestRepository == null) {
        // Default: keep the pending authorization request in the WebSession
        this.authorizationRequestRepository = new WebSessionOAuth2ServerAuthorizationRequestRepository();
    }
    return this.authorizationRequestRepository;
}
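The two hooks above are normally wired from application code through ServerHttpSecurity. The following configuration is an added example, not code from the page or from Spring Security itself: it moves the resolver's entry point to a non-default path, enables PKCE through the resolver's request customizer, and sets the WebSession repository explicitly. The path /login/oauth2/start/{registrationId} is an arbitrary choice for illustration; OAuth2AuthorizationRequestCustomizers.withPkce() is assumed to be available (Spring Security 5.7 or newer).

```java
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;

@Configuration
public class OAuth2ClientSecurityConfig {

    // Illustrative entry path (assumption); the variable MUST be named "registrationId",
    // because DefaultServerOAuth2AuthorizationRequestResolver reads that URI variable.
    private static final String AUTHORIZATION_PATTERN = "/login/oauth2/start/{registrationId}";

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  ReactiveClientRegistrationRepository clientRegistrations) {
        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(oauth2 -> oauth2
                // Replaces the default resolver built from the client registration repository
                .authorizationRequestResolver(authorizationRequestResolver(clientRegistrations))
                // Same as the default, stated explicitly so the choice is visible in review
                .authorizationRequestRepository(new WebSessionOAuth2ServerAuthorizationRequestRepository()));
        return http.build();
    }

    private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrations) {
        DefaultServerOAuth2AuthorizationRequestResolver resolver =
            new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrations,
                new PathPatternParserServerWebExchangeMatcher(AUTHORIZATION_PATTERN));
        // Adds code_challenge/code_challenge_method to the redirect and keeps the
        // code_verifier inside the stored OAuth2AuthorizationRequest for the token request
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        return resolver;
    }
}
```

Two practical checks: the customizer runs inside authorizationRequest(...) before build(), so anything it adds (PKCE verifier, extra parameters) is part of the object that sendRedirectForAuthorization saves, which is why the filter persists the request before sending the redirect. And changing the entry path does not change the callback path; the callback is matched separately by the login authentication filter (default /login/oauth2/code/{registrationId}) and configured with authenticationMatcher and the registration's redirect-uri.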
3. Filter core source code analysis
The core function of OAuth2AuthorizationRequestRedirectWebFilter is to intercept a request and redirect the browser to the third-party authorization server. Which requests are intercepted, and how is the redirect performed? With these questions in mind, let's look at the source.
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    // Resolver returns an OAuth2AuthorizationRequest only for requests it matches
    return this.authorizationRequestResolver.resolve(exchange)
            // Not matched: pass the request down the chain and do nothing else
            .switchIfEmpty(chain.filter(exchange).then(Mono.empty()))
            // Downstream code demanded an authorized client: remember the current
            // request, then resolve an authorization request for that registration
            .onErrorResume(ClientAuthorizationRequiredException.class,
                    (ex) -> this.requestCache.saveRequest(exchange).then(
                            this.authorizationRequestResolver.resolve(exchange, ex.getClientRegistrationId())))
            // Matched (or recovered): save the request and send the redirect
            .flatMap((clientRegistration) -> sendRedirectForAuthorization(exchange, clientRegistration));
}
private Mono<Void> sendRedirectForAuthorization(ServerWebExchange exchange,
        OAuth2AuthorizationRequest authorizationRequest) {
    return Mono.defer(() -> {
        Mono<Void> saveAuthorizationRequest = Mono.empty();
        if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationRequest.getGrantType())) {
            // Authorization code flow: persist the request (state, redirect_uri, PKCE
            // verifier, ...) so the callback can be validated against it
            saveAuthorizationRequest = this.authorizationRequestRepository
                    .saveAuthorizationRequest(authorizationRequest, exchange);
        }
        // Fully built authorization endpoint URL, including the query parameters
        URI redirectUri = UriComponentsBuilder.fromUriString(authorizationRequest.getAuthorizationRequestUri())
                .build(true)
                .toUri();
        // Save first, redirect second
        return saveAuthorizationRequest
                .then(this.authorizationRedirectStrategy.sendRedirect(exchange, redirectUri));
    });
}
4. default authorizationRequestResolver
The default authorizationRequestResolver implementation is DefaultServerOAuth2AuthorizationRequestResolver. By default it matches requests to /oauth2/authorization/{registrationId}, where the registrationId path variable selects the client registration.
public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOAuth2AuthorizationRequestResolver {

    public static final String DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";

    public static final String DEFAULT_AUTHORIZATION_REQUEST_PATTERN = "/oauth2/authorization/{"
            + DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME + "}";

    public DefaultServerOAuth2AuthorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        // Path matcher for the default pattern; a custom matcher can be passed to the other constructor
        this(clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher(DEFAULT_AUTHORIZATION_REQUEST_PATTERN));
    }
}
DefaultServerOAuth2AuthorizationRequestResolver returns an OAuth2AuthorizationRequest, the object that represents one authorization request. How does it build that object? The source is as follows:
private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchange,
        ClientRegistration clientRegistration) {
    // Callback URL: the redirect-uri configured for this registration in application.yml,
    // with placeholders such as {baseUrl} and {registrationId} expanded
    String redirectUriStr = expandRedirectUri(exchange.getRequest(), clientRegistration);
    Map<String, Object> attributes = new HashMap<>();
    attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
    OAuth2AuthorizationRequest.Builder builder = getBuilder(clientRegistration, attributes);
    builder.clientId(clientRegistration.getClientId())
            .authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
            .redirectUri(redirectUriStr)
            .scopes(clientRegistration.getScopes())
            // state: a random, unguessable value. The authorization server echoes it on
            // the callback, and the callback is only accepted if it matches the stored
            // request, which binds the callback to this browser session (CSRF protection)
            .state(this.stateGenerator.generateKey())
            .attributes(attributes);
    // Hook for application-level changes to the request (extra parameters, PKCE, ...)
    this.authorizationRequestCustomizer.accept(builder);
    return builder.build();
}
The expandRedirectUri method supports URI variable substitution in the configured redirect-uri, for example {baseUrl} and {registrationId}. In application.yml:
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: "xxxx"
            clientSecret: "xxxx"
            redirectUri: "{baseUrl}/api/oauth2/code/{registrationId}"
5. default authorizationRequestRepository
The default authorizationRequestRepository implementation is WebSessionOAuth2ServerAuthorizationRequestRepository, which is backed by the WebSession. It stores the OAuth2AuthorizationRequest in the session so that the callback request can load it again, compare its state parameter with the stored value, and remove it once the authorization code is consumed.
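To make the state binding from section 4 and the repository contract from section 5 concrete, here is an added example of a ServerAuthorizationRequestRepository, written for this page rather than taken from Spring Security. It keeps one pending request per WebSession under an attribute name chosen here, and only returns that request when the incoming callback's state parameter equals the stored one; any other callback yields an empty Mono, so the login filter cannot complete the flow. The class and attribute names are illustrative.

```java
package example;

import org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Illustrative WebSession-backed repository (not Spring Security's own class).
 * One pending authorization request per session; the callback is honoured only
 * when its "state" query parameter equals the state saved before the redirect.
 */
public class StateCheckingAuthorizationRequestRepository
        implements ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    // Session attribute name chosen for this example
    private static final String ATTR =
            StateCheckingAuthorizationRequestRepository.class.getName() + ".REQUEST";

    @Override
    public Mono<OAuth2AuthorizationRequest> loadAuthorizationRequest(ServerWebExchange exchange) {
        String state = exchange.getRequest().getQueryParams().getFirst(OAuth2ParameterNames.STATE);
        if (state == null || state.isEmpty()) {
            // A callback without state can never be matched to a pending request
            return Mono.empty();
        }
        return exchange.getSession()
                .mapNotNull(session -> session.<OAuth2AuthorizationRequest>getAttribute(ATTR))
                // The binding check: stored state must equal the echoed state
                .filter(request -> state.equals(request.getState()));
    }

    @Override
    public Mono<Void> saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
                                               ServerWebExchange exchange) {
        Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
        Assert.hasText(authorizationRequest.getState(), "authorizationRequest.state must not be empty");
        // Called by sendRedirectForAuthorization before the redirect is written
        return exchange.getSession()
                .doOnNext(session -> session.getAttributes().put(ATTR, authorizationRequest))
                .then();
    }

    @Override
    public Mono<OAuth2AuthorizationRequest> removeAuthorizationRequest(ServerWebExchange exchange) {
        // Called on the callback: load (with the state check) and consume in one step,
        // so a replayed callback with the same state finds nothing
        return loadAuthorizationRequest(exchange)
                .flatMap(request -> exchange.getSession()
                        .doOnNext(session -> session.getAttributes().remove(ATTR))
                        .thenReturn(request));
    }
}
```

Holding a single pending request per session means a second login started in another tab overwrites the first, and the first tab's callback then fails the state check; that is the safe failure mode, but it is worth knowing when debugging. The default WebSession repository is the right choice for most deployments; the example above exists to show the check, not to replace it.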